Method and system for dynamic testing with diagnostic assessment of software security vulnerability

ABSTRACT

A method and system of applying a security vulnerability assessment of a software program. The method comprises directing, from a security assessing server, to a software program under execution, a plurality of attack vectors, diagnosing a set of results associated with the software program under execution as comprising a security vulnerability, the set of results produced based at least in part on the plurality of attack vectors, and assessing a monetary premium of a risk insurance policy merited by an enterprise based at least in part on a level of control ceded to an attacker in accordance with the set of results.

RELATED APPLICATION

This application is a continuation of U.S. Pat. Application No.16/525,207 filed on Jul. 29, 2019, said priority application beingincorporated by reference in its entirety.

TECHNICAL FIELD

The disclosure herein relates to software application securityvulnerability diagnosis and assessment, including web-based enterprisesoftware applications and websites.

BACKGROUND

Protection of safety-critical software platform infrastructures andsystems employed in healthcare, telecommunications, banking, and othercommercial and industrial uses remains a major challenge. In particular,cyberattacks can be unpredictable, and intended to compromise or inhibitsecure operation of an infrastructure or a critical component within theinfrastructure. Computer viruses, trojans, hackers, cryptographic keyrecovery attacks, malicious executables and bots may present a constantthreat to users of computers connected to public computer networks suchas the Internet and also private networks such as corporate computernetworks. In response to these threats, enterprise organizations maydeploy antivirus software and firewalls. However, such preventativeattempts may not always prove adequate.

Multiple commercial industry mandates and government regulationsnecessitate the security of sensitive and confidential data,particularly in regard to personally identifiable information.Particular security policy management functions may need to be enforced,with attendant reporting.

For enterprise organizations deploying safety-critical software systeminfrastructure and components, it is important to ensure that theirenterprise software applications and systems operate in a secure way andare robust and resilient with regard to cyberattacks performed via adata network. However, often the necessary software security assessmentstructure and solution may be missing or inadequate to assess currentsecurity aspects of a software system as deployed. Solutions arerequired to protect enterprise critical data from external threats byensuring integrity of the software systems and applications used inconducting commerce.

BRIEF DESCRIPTION OF THE DRAWINGS

The patent or application file contains at least one drawing executed incolor. Copies of this patent or patent application publication withcolor drawing(s) will be provided by the Office upon request and paymentof the necessary fee.

FIG. 1 illustrates, in an example embodiment, a cloud-based system fordynamic software security vulnerability assessment of web-based softwareapplications.

FIG. 2 illustrates, in one example embodiment, an architecture of acloud-based server computing system for dynamic software securityvulnerability assessment of web- based software applications.

FIG. 3 illustrates a method of operation, in one example embodiment, ofa server computing system for dynamic software security vulnerabilityassessment of web- based software applications.

DETAILED DESCRIPTION

Methods and systems provided herein advantageously enable a networked,cloud-based server device to dynamically access, diagnose and assesssecurity attributes, including resilience and vulnerability attributes,of a software application that is under execution. Solutions hereinprovide dynamic application security testing by subjecting the softwareapplication, while under execution, to directed attack vectors from ascanning application, identifying vulnerabilities, and generating adynamic security vulnerability score. As referred to herein, a softwareapplication includes web- based application programs as deployed,software as a service (SaaS), a cloud managed service providedapplication program.

In particular, methods and systems herein assess a dynamic securityvulnerability during execution of software application or program in itsrunning state. As used herein, the term “security vulnerability” means aprogramming error, feature or attribute that produces unintendedbehavior(s) and results in an application which may enable maliciouscode to bypass security features built into the application, whereupon,once the application’s security features are bypassed, the maliciouscode can use the application as a gateway for appropriating orcorrupting sensitive, protected, or confidential data.

The term “dynamic” as used herein refers to actions performed duringreal- time application program execution in one or more processors of acomputing device for its intended purpose.

Dynamic security vulnerability or risk can be diagnosed and scored orranked by utilizing various inputs, in some embodiments attack vectorsas provided herein, to induce unexpected execution results in order toquantify a security risk associated with a particular aspect of asoftware product, such as a security risk associated with exploitationof a security vulnerability that is inherent to the softwareapplication. In this manner, dynamic assessment and security riskscoring associated with exploitation of a security vulnerability for asoftware application can contribute to more effectively identifying,prioritizing, managing and pre-empting security risks to an enterpriseorganization.

Furthermore, a dynamic security vulnerability score as proposed hereinmay be used to determine whether and to what extent to trust a web-basedsoftware application including software as a service (SaaS)applications, a website or similar infrastructure and softwarecomponents. In other embodiments, the system can identify which of thevarious factors used in generating the security reliance score wouldhave the most impact on the security vulnerability diagnostic score,thus assisting and directing administrators or others to evaluate andimprove the impact of changes within an enterprise.

In accordance with a first example embodiment, a method of dynamictesting and diagnostic assessment of security vulnerability of cloud-orweb- based enterprise software applications is provided. The methodcomprises directing, to a software program under execution, a series ofattack vectors; diagnosing a set of results associated with the softwareexecution as constituting one of a security vulnerability and not asecurity vulnerability, the set of results produced based at least inpart on the attack vectors; and assessing a dynamic securityvulnerability score for the software program based at least in part onthe diagnosing.

In general, a higher dynamic security vulnerability score may becalculated or assessed in instances where a lower dynamic vulnerabilityscore indicates lower security risk in terms of higher resilience topotential dynamic security threats. On the other hand, a lower score maybe merited where the assessment indicates an increased security risk ora lessened resilience to potential software security threats.

In some embodiments, the dynamic security vulnerability score may be anaggregation of the set of results that constitute a securityvulnerability that is attributable to the series of attack vectors.

In one variation, the dynamic security vulnerability score may be basedon a weighted aggregation of the set of results constituting thesecurity vulnerability that is attributable to the respective ones ofthe series of attack vectors. In this variation, reportedvulnerabilities from different attack vectors would be weighteddifferently when assessing the score, since errors from certain attackvectors might be considered as having more serious potential andconsequences for security violations than others.

In some practical uses of the methods and systems herein, results of thediagnostic assessment and scoring may be used to certify a web- basedsoftware application, or a provider of such application, underprevailing and pre-established proprietary, industry or governmentalstandards pertaining to software security vulnerability.

In accordance with a second example embodiment, a non-transitory mediumstoring instructions executable in a processor of a server computingdevice is provided. The instructions are executable to assess a dynamicsecurity vulnerability score for a software application under executionby directing, to the software program under execution, a series ofattack vectors; diagnosing a set of results associated with the softwareexecution as constituting one of a security vulnerability and not asecurity vulnerability, the set of results produced based at least inpart on the attack vectors; and assessing a dynamic securityvulnerability score for the software program based at least in part onthe diagnosing.

In accordance with a third example embodiment, a server computing systemfor dynamic testing and diagnostic assessment of security vulnerabilityof cloud-or web- based enterprise software applications is provided. Thesystem comprises a server computing device that includes a memorystoring instructions and one or more processors for executing theinstructions stored thereon direct, to a software program underexecution, a series of attack vectors; diagnose a set of resultsassociated with the software execution as constituting one of a securityvulnerability and not a security vulnerability, the set of resultsproduced based at least in part on the attack vectors; and assess adynamic security vulnerability score for the software program based atleast in part on the diagnosing.

One or more embodiments described herein provide that methods,techniques, and actions performed by a computing device are performedprogrammatically, or as a computer-implemented method. Programmatically,as used herein, means through the use of code or computer-executableinstructions. These instructions can be stored in one or more memoryresources of the computing device.

Furthermore, one or more embodiments described herein may be implementedthrough the use of logic instructions that are executable by one or moreprocessors of a computing device, including a server computing device.These instructions may be carried on a computer-readable medium. Inparticular, machines shown with embodiments herein include processor(s)and various forms of memory for storing data and instructions. Examplesof computer-readable mediums and computer storage mediums includeportable memory storage units, and flash memory. A server computingdevice as described herein utilizes processors, memory, and logicinstructions stored on computer-readable medium. Embodiments describedherein may be implemented in the form of computer processor- executablelogic instructions or programs stored on computer memory mediums.

System Description

FIG. 1 illustrates, in an example embodiment, cloud-based system 100 fordynamic security diagnostic assessment of web- based enterprise softwareapplications currently under execution. Server computing system ordevice 101 includes software security dynamic assessment module 105embodied according to computer processor- executable instructions storedwithin a non-transitory memory. Server 101 is in communication viacommunication network 104 with computing device 102. Computing device102, which may be a server computing device in some embodiments, mayhost enterprise software program or application 106 for executionthereon. Software program 106 in another embodiment may be a web- basedapplication program. Database 103, for example storing enterprise dataaccessible to software application 106 under execution, iscommunicatively accessible to computing device 102.

FIG. 2 illustrates, in an example embodiment, architecture 200 of servercomputing system 101 hosting software security dynamic assessment module105 for security diagnostic assessment of enterprise softwareapplications. Server computing system or device 101, also referred toherein as server 101, may include processor 201, memory 202, displayscreen 203, input mechanisms 204 such as a keyboard orsoftware-implemented touchscreen input functionality, and communicationinterface 207 for communicating via communication network 104. Memory202 may comprise any type of non-transitory system memory, storinginstructions that are executable in processor 201, including such as astatic random access memory (SRAM), dynamic random access memory (DRAM),synchronous DRAM (SDRAM), read-only memory (ROM), or a combinationthereof.

Software security dynamic assessment module 105 includes processor-executable instructions stored in memory 202 of server 101, theinstructions being executable in processor 201. Software securitydynamic assessment module 105 may comprise portions or sub-modulesincluding attack vectors module 210, dynamic vulnerability diagnosticmodule 211 and dynamic vulnerability scoring module 212.

Processor 201 uses executable instructions of attack vectors module 210to direct, to a software program under execution, a series of attackvectors.

In an embodiment, the software program comprises a cloud based softwareprogram that is communicative accessible to the security assessingserver during the execution. The scanning application at server 101directing the attack vectors may have no foreknowledge of the executionattributes of the software application under execution. For example, thescanning application may not have, nor does it need, access to sourcecode of the application under execution, but is configured by way of theattack vectors to detect vulnerabilities by actually performing attacks.Identifying and targeting the application may be based partly on havingacquired no prior knowledge of execution attributes and source code ofthe software application. The terms “application” and “program” are usedinterchangeably herein.

A series of attack descriptions, or an attack vectors as referred toherein, constituted of script code in some embodiments, can be accessedfrom a data store such as a database or from memory 202 of server device101. The attack description may be constituted of a data set,constituted of script code in some embodiments, that encodes an attackor attempt to exploit or otherwise compromise a security vulnerabilityof the software program 106 under execution. For example, inembodiments, the attack description can include an identifier of a classor type of attack, a data value or group of data values that will beincluded within the attack data set, a reference to a particular attackdata set, or a copy of an attack data set.

In an embodiment, one or more attack vectors of the series comprises adata set that encodes an attempt to exploit a security vulnerabilityaspect of the software application under execution.

In some variations, the data set may include one or more of anidentifier of a class and a type of attack, a data value, a group ofdata values, a reference to a predetermined attack data set, and a copyof an attack data set.

Processor 201 uses executable instructions stored in dynamicvulnerability diagnostic module 211 to diagnose a set of resultsassociated with the software execution as whether respective ones of theresults constitute a dynamic security vulnerability or not, the set ofresults being produced based at least in part on the attack vectors asdirected to the software program during execution.

In some aspects, the security vulnerability may relate to one or more ofa cross-site scripting, a SQL injection, a path disclosure, a denial ofservice, a memory corruption, a code execution, a cross-site requestforgery, a PHP injection, a Javascript injection and a buffer overflow.

In some embodiments, diagnosing a security vulnerability comprises thesoftware application providing an error response indicating that atleast one attack vector in the series of attack vectors successfullyexploited a security vulnerability of the application.

In some cases, based on a result of the dynamic testing, a scanner inaccordance with server 101 deploying the attack vectors may not report adynamic security vulnerability for the application. In such cases, theapplication would have nullified the attack data set, thus pre-emptingor preventing a security vulnerability, and accordingly provided anerror response to indicate that a requested service or operation couldnot be executed because some input, for instance the attack data set,was improper. The dynamic security vulnerability diagnosis in this casewould not report a security vulnerability for the application becausethe application did not use the attack data set in a manner that wouldallow exploitation of the targeted security vulnerability.

Processor 201 uses executable instructions stored in dynamicvulnerability scoring module 212 to assess a dynamic securityvulnerability score for the software program based at least in part onthe diagnosing.

In some embodiments, the dynamic security vulnerability score may be anaggregation of the set of results constituting a security vulnerabilitythat is attributable to the series of attack vectors.

In one variation, the dynamic security vulnerability score may be basedon a weighted aggregation of the set of results constituting thesecurity vulnerability that is attributable to the respective ones ofthe series of attack vectors. In this variation, reportedvulnerabilities from different attack vectors would be weighteddifferently when assessing the score, as some errors from differentattack vectors might be considered as having more serious potential andconsequences for security violations than others.

In embodiments, a higher security vulnerability diagnostic score may bedetermined or assigned in instances where the particular attributecontributes to, or indicates, a lower security risk or greaterresilience to potential security threats. On the other hand, a lowerscore may be merited where assessment of a given attribute contributesto, or indicates, an increased security risk or a lessened resilience topotential software security threats.

It is contemplated that a security vulnerability score or similarsecurity assessment may be applied to, and associated with a particularsoftware provider, or even a SaaS enterprise user, in accordance withdynamic testing techniques as provided herein. In some aspects, securityperformance indicators may be assigned or determined for a given corpsof programmers, or even for individual programmers, who deploy theweb-based software, or contributed in definable ways to development ofthe software application. Such performance indicators may be assigned orderived at least in part based on the software security dynamic testingand assessment techniques disclosed herein. Software securityperformance indicators may be tracked and updated, for example using keyperformance indicator (KPI) measurements of dynamic securityvulnerability instances.

In some aspects, the dynamic vulnerability scores may be correlated withperformance criteria in accordance with pre-established proprietary,industry or governmental standards. Where such pre-established standardsprovide for certifications, such certifications may be applied orawarded to those software applications that merit, in accordance withthe pre-established standards, requirements for software securityvulnerability or resilience attributes based on the dynamic testing andscoring techniques disclosed herein. In such certification context,assigning a certification status to the software program may be based atleast in part on the dynamic security vulnerability score in conjunctionwith the pre-established certification standard.

In embodiments, a higher dynamic security vulnerability diagnostic scoremay be determined or assigned in instances where the particularattribute contributes to, or indicates, a lower security risk or greaterresilience to potential security threats. On the other hand, a lowerscore may be merited where assessment of a given attribute contributesto, or indicates, an increased security risk or a lessened resilience topotential software security threats.

In related embodiments, higher dynamic security vulnerability scores maybe correlated with a higher potential for compromise of sensitiveenterprise data by way of data corruption or unauthorized appropriation,a level of control ceded to an attacker, an amount of financial damagecaused to an enterprise using, selling or distributing the softwareprogram, and a level of commercial integrity harm to an enterpriseusing, distributing or selling the software program. Based on suchcorrelating, monetary premiums of a risk insurance policy may beassessed for an enterprise using, selling or distributing the web- basedsoftware program, commensurate with the potential harm to theenterprise, including monetary and commercial reputation or integrityharm considerations.

In certain aspects, dynamic security vulnerability scores as proposedherein may be used to determine whether and to what extent to trust anenterprise web-based software application, website or similarinfrastructure and software components. In related embodiments, thetechniques disclosed herein may be used to identify which of the variousfactors used in generating the dynamic security score would have themost critical software security impact, thus assisting and directingsystem administrators and others evaluate and improve the impact ofchanges.

Methodology

FIG. 3 illustrates, in an example embodiment, method 300 of operation ofa server computing system 101 for dynamic security diagnostic assessmentof web- based software applications, method 300 being performed by oneor more processors 201 of server computing device 101. In describing theexample of FIG. 3 , reference is made to the examples of FIG. 1 and FIG.2 for purposes of illustrating suitable components or elements forperforming a step or sub-step being described.

Examples of method steps described herein relate to the use of server101 for implementing the techniques described. According to oneembodiment, the techniques are performed by software security dynamicassessment module 105 of server 101 in response to the processor 201executing one or more sequences of software logic instructions thatconstitute software security dynamic assessment module 105. Inembodiments, software security dynamic assessment module 105 may includethe one or more sequences of instructions within sub-modules includingattack vectors module 210, dynamic vulnerability diagnostic module 211and dynamic vulnerability scoring module 212. Such instructions may beread into memory 202 from machine-readable medium, such as memorystorage devices. In executing the sequences of instructions contained inattack vectors module 210, dynamic vulnerability diagnostic module 211and dynamic vulnerability scoring module 212 of software securitydynamic assessment module 105 in memory 202, processor 201 performs theprocess steps described herein. In alternative implementations, at leastsome hard-wired circuitry may be used in place of, or in combinationwith, the software logic instructions to implement examples describedherein. Thus, the examples described herein are not limited to anyparticular combination of hardware circuitry and software instructions.

At step 310, processor 201 executes instructions of attack vectorsmodule 210 to direct, from security assessing server 101, a series ofattack vectors to software program under execution 106 at computingdevice 102.

In an embodiment, the software program comprises a cloud based softwareprogram that is communicative accessible to the security assessingserver during the execution. The scanning application at server 101directing the attack vectors may have no foreknowledge of the executionattributes of the software application under execution. For example, thescanning application may not have access to source code of theapplication under execution, but is configured by way of the attackvectors to detect vulnerabilities by actually performing attacks.Identifying and targeting the application may be based partly on havingacquired no prior knowledge of execution attributes and source code ofthe software application.

In some embodiments, a series of attack descriptions, or an attackvectors as referred to herein, constituted of script code, can beaccessed from a data store such as a database or from memory 202 ofserver device 101. the attack description may be constituted of as adata set that encodes an attack or attempt to exploit a securityvulnerability of the software program 106 under execution. For example,in embodiments, the attack description can include an identifier of aclass or type of attack, a data value or group of data values that willbe included within the attack data set, a reference to a particularattack data set, or a copy of an attack data set.

In an embodiment, one or more attack vectors of the series may include adata set that encodes an attempt to exploit a security vulnerabilityaspect of the software application under execution.

In some variations, the data set may include one or more of anidentifier of a class and a type of attack, a data value, a group ofdata values, a reference to a predetermined attack data set, and a copyof an attack data set.

At step 320, processor 201 of server computing device 101 executesinstructions included in dynamic vulnerability diagnostic module 211 todiagnose a set of results associated with the software execution as towhether respective ones of the results constitute a securityvulnerability or not, the set of results being produced based at leastin part on the attack vectors.

In some aspects, the security vulnerability may relate to one or more ofa cross-site scripting, a SQL injection, a path disclosure, a denial ofservice, a memory corruption, a code execution, a cross-site requestforgery, a PHP injection, a Javascript injection and a buffer overflow.

In some embodiments, diagnosing a security vulnerability comprises thesoftware application providing an error response indicating that atleast one attack vector in the series of attack vectors successfullyexploited a security vulnerability of the application.

In some cases, based on a result of the dynamic testing, a scanner inaccordance with server 101 deploying the attack vectors may not report adynamic security vulnerability for the application. In such cases, theapplication would have nullified the attack data set, thus pre-emptingor preventing a security vulnerability, and accordingly provided anerror response to indicate that a requested service or operation couldnot be executed because some input, for instance the attack data set,was improper. The dynamic security vulnerability diagnosis in this casewould not report a security vulnerability for the application becausethe application did not use the attack data set in a manner that wouldallow exploitation of the targeted security vulnerability.

At step 330, processor 201 executes instructions included in dynamicvulnerability scoring module 212, to assess a dynamic securityvulnerability score for the software program based at least in part onthe diagnosing

In some embodiments, the dynamic security vulnerability score may be anaggregation of the set of results constituting a security vulnerabilitythat is attributable to the series of attack vectors.

In one variation, the dynamic security vulnerability score may be basedon a weighted aggregation of the set of results constituting thesecurity vulnerability that is attributable to the respective ones ofthe series of attack vectors. In this variation, reportedvulnerabilities from different attack vectors would be weighteddifferently when assessing the score, as some errors from differentattack vectors might be considered as having more serious potential andconsequences for security violations than others.

In embodiments, a higher security vulnerability diagnostic score may bedetermined or assigned in instances where the particular attributecontributes to, or indicates, a lower security risk or greaterresilience to potential security threats. On the other hand, a lowerscore may be merited where assessment of a given attribute contributesto, or indicates, an increased security risk or a lessened resilience topotential software security threats.

It is contemplated that a security vulnerability score or similarsecurity assessment may be applied to, and associated with a particularsoftware provider, or even a SaaS enterprise user, in accordance withdynamic testing techniques as provided herein. In some aspects, securityperformance indicators may be assigned or determined for a given corpsof programmers, or even for individual programmers, who deploy theweb-based software, or contributed in definable ways to development ofthe software application. Such performance indicators may be assigned orderived at least in part based on the software security dynamic testingand assessment techniques disclosed herein. Software securityperformance indicators may be tracked and updated, for example using keyperformance indicator (KPI) measurements of dynamic securityvulnerability instances.

In some embodiments, the dynamic vulnerability scores may be correlatedwith performance criteria in accordance with pre-establishedproprietary, industry or governmental standards. Where suchpre-established standards provide for certifications, suchcertifications may be applied or awarded to those software applicationsthat merit, in accordance with the pre-established standards,requirements for software security vulnerability or resilienceattributes based on the dynamic testing and scoring techniques disclosedherein. In such certification context, assigning a certification statusto the software program may be based at least in part on the dynamicsecurity vulnerability score in conjunction with the pre-establishedcertification standard.

In related embodiments, higher dynamic security vulnerability scores maybe correlated with a higher potential for compromise of sensitiveenterprise data by way of data corruption or unauthorized appropriation,a level of control ceded to an attacker, an amount of financial damagecaused to an enterprise using, selling or distributing the softwareprogram, and a level of commercial integrity harm to an enterpriseusing, distributing or selling the software program. Based on suchcorrelating, monetary premiums of a risk insurance policy may beassessed for an enterprise using, selling or distributing the web- basedsoftware program, commensurate with the potential harm to theenterprise, including monetary and commercial reputation or integrityharm considerations.

It is contemplated that embodiments described herein extend toindividual elements and concepts described herein, as well as forembodiments to include combinations of elements recited anywhere in thisapplication. Although embodiments are described in detail herein withreference to the accompanying drawings, it is to be understood that theinvention is not limited to only such example embodiments. As such, manymodifications and variations will be apparent to practitioners skilledin the art. Accordingly, it is intended that the scope of the inventionbe defined by the following claims and their equivalents. Furthermore,it is contemplated that a particular feature described eitherindividually or as part of an embodiment can be combined with otherindividually described features, or parts of other embodiments, even ifthe other features and embodiments make no mention of the particularfeature. Thus, the absence of describing combinations should notpreclude the inventors from claiming rights to such combinations.

What is claimed is:
 1. A method of applying a security vulnerabilityassessment of a software program, the method comprising: directing, froma security assessing server, to a software program under execution, aplurality of attack vectors; diagnosing a set of results associated withthe software program under execution as comprising a securityvulnerability, the set of results produced based at least in part on theplurality of attack vectors; and assessing a monetary premium of a riskinsurance policy merited by an enterprise based at least in part on alevel of control ceded to an attacker in accordance with the set ofresults.
 2. The method of claim 1 wherein the software program comprisesan enterprise software program that is communicatively accessible to thesecurity assessing server during the execution, the security assessingserver having acquired no a priori knowledge of execution attributes ofthe software program prior to the execution.
 3. The method of claim 1further comprising determining a dynamic security vulnerability scorefor the software program under execution based at least in part on thediagnosing.
 4. The method of claim 3 further comprising awarding acertification status to the software program under execution based atleast in part on the dynamic security vulnerability score in accordancewith a pre-established certification standard.
 5. The method of claim 4wherein the pre-established certification standard includes at least oneof an industry mandated, a proprietary and a government mandatedcertification standards.
 6. The method of claim 3 wherein the dynamicsecurity vulnerability score comprises an aggregation of the set ofresults constituting the security vulnerability that is attributable tothe plurality of attack vectors.
 7. The method of claim 6 wherein thedynamic security vulnerability score comprises a weighted aggregation ofthe set of results constituting the security vulnerability that isattributable to the respective ones of the plurality of attack vectors.8. The method of claim 1 wherein at least one attack vector of theplurality comprises a data set that encodes an attempt to exploit asecurity vulnerability aspect of the software program under execution.9. The method of claim 8 wherein the data set includes at least one ofan identifier of a class and a type of attack, a data value, a group ofdata values, a reference to a predetermined attack data set, and a copyof an attack data set.
 10. The method of claim 1 wherein the diagnosingof the security vulnerability comprises the software program providingan error response indicating that at least one attack vector in theplurality of attack vectors successfully exploited a securityvulnerability of the software program under execution.
 11. A servercomputing system comprising: a processor; a non-transitory memorystoring instructions, the instructions when executed causing theprocessor to implement operations comprising: directing, from a securityassessing server, to a software program under execution, a plurality ofattack vectors; diagnosing a set of results associated with the softwareprogram under execution as comprising a security vulnerability, the setof results produced based at least in part on the plurality of attackvectors; and assessing a monetary premium of a risk insurance policymerited by an enterprise based at least in part on a level of controlceded to an attacker in accordance with the set of results.
 12. Theserver computing system of claim 11 wherein the software programcomprises an enterprise software program that is communicativelyaccessible to the security assessing server during the execution, thesecurity assessing server having acquired no a priori knowledge ofexecution attributes of the software program prior to the execution. 13.The server computing system of claim 11 further comprising instructionscausing the processor to implement operations including determining adynamic security vulnerability score for the software program underexecution based at least in part on the diagnosing.
 14. The servercomputing system of claim 13 further comprising instructions causing theprocessor to implement operations including awarding a certificationstatus to the software program under execution based at least in part onthe dynamic security vulnerability score in accordance with apre-established certification standard.
 15. The server computing systemof claim 14 wherein the pre-established certification standard includesat least one of an industry mandated, a proprietary and a governmentmandated certification standards.
 16. The server computing system ofclaim 13 wherein the dynamic security vulnerability score comprises anaggregation of the set of results constituting the securityvulnerability that is attributable to the plurality of attack vectors.17. The server computing system of claim 16 wherein the dynamic securityvulnerability score comprises a weighted aggregation of the set ofresults constituting the security vulnerability that is attributable tothe respective ones of the plurality of attack vectors.
 18. The servercomputing system of claim 11 wherein at least one attack vector of theplurality comprises a data set that encodes an attempt to exploit asecurity vulnerability aspect of the software program under execution.19. The server computing system of claim 18 wherein the data setincludes at least one of an identifier of a class and a type of attack,a data value, a group of data values, a reference to a predeterminedattack data set, and a copy of an attack data set.
 20. The servercomputing system of claim 11 wherein the diagnosing of the securityvulnerability comprises the software program providing an error responseindicating that at least one attack vector in the plurality of attackvectors successfully exploited a security vulnerability of the softwareprogram under execution.